A Developer's Guide to Securing Mobile Applications



Copyright 2014 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks' proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Table of Contents

Introduction
Risks of Taking Your Business Mobile
Communication Channel
Data Storage
Platform
Provisioning
Interface
User
Why Choose VASCO for Mobile Application Security
About VASCO

Introduction

There are now more mobile devices in use than there are people on the planet, and users are looking to access applications, consume services and conduct transactions via mobile, at any time, from anywhere. And users are no longer satisfied with services limited to a single platform: they want to migrate seamlessly between all their different devices, so cross-platform and multi-channel is becoming the only realistic future for services and transactions. What's more, beyond the challenges of balancing user demands for simplicity with an increasingly complex mobile ecosystem, mobile applications are fraught with their own unique security challenges and threats that can put both organizations and their users in jeopardy. When it comes to mobile applications, we have to adapt fast. This guide will help you better understand today's mobile application ecosystem as well as its risks and challenges, and guide you on your way to an application security strategy that strengthens protection, reduces risk, and improves user experience, so you can meet the growing demands of the new mobile galaxy.

Risks of Taking Your Business Mobile

Consumers want to use mobile for everything from banking to shopping to gaming. Businesses are creating an increasing number of applications to capture consumers who previously might have come into a physical shop or gone to the web. However, mobile is notoriously flawed when it comes to security measures. As you bring your services into the mobile ecosystem, there's great potential for expanding your business, but also great potential for threats to your organization as well as to your customers. It's important to understand all the different vectors where attackers may breach apps, and protect against them. The Open Web Application Security Project (OWASP) has published the following list of Mobile Top 10 Risks. Whereas certain risks relate to the user, such as weak server side controls or poor authorization and authentication, others relate to the security of the application itself, whether those are vulnerabilities in the security of application communication, storage, interface, platform, or even the provisioning process.

OWASP Mobile Top 10 Risks
M1 - Weak Server Side Controls
M2 - Insecure Data Storage
M3 - Insufficient Transport Layer Protection
M4 - Unintended Data Leakage
M5 - Poor Authorization and Authentication
M6 - Broken Cryptography
M7 - Client Side Injection
M8 - Security Decisions Via Untrusted Inputs
M9 - Improper Session Handling
M10 - Lack of Binary Protections
Source: 2014 Open Web Application Security Project (OWASP)

When it comes to mobile applications, improving security across all areas of an application is critical. Vulnerabilities or weaknesses in any area of a mobile application can open an organization up to risk and may result in serious consequences, including data loss, fraud, loss of revenue, and even damage to brand reputation.

[Figure: Holistic Mobile App Security covers Communications, Storage, Platform, Provisioning, Interface and User.]

Communications

The communications channel carries all the information between the application and the central server, and therefore is a potential vector for data loss. A common pitfall in mobile application development is to depend on HTTPS alone as a secure channel. HTTPS offers privacy protection between a server and a browser on a device by ensuring that data is not transmitted in plain text, but an independent, cross-platform mechanism, more specifically a secure or out-of-band channel, is a critical security measure for mobile applications.

Client-side Injection

Applications can be left exposed in a variety of ways, whether through unsecured networks or through access gained by pivoting from other unsecured applications. Malicious code may be run on a device following infection through client-side injections, including LDAP injection, local file inclusion, JavaScript injection, or SQL injection. Establishing a secure channel from the server to the secure application that processes the requests, and blocking clear-text requests, are both highly effective in preventing injection attacks.

Inter-Application Security

Many applications on mobile devices interact with each other in a variety of ways. It may be as simple as tying login information together for Facebook, Twitter and Google, or more complex interactions such as identifying activities across different applications on the device. Inter-application security requires protections similar to those of network security, but also requires additional controls to ensure that commands between the different applications are valid and authorized. Protections need to ensure that if one application is breached, it cannot be used to make illegal calls to another application. Consider using a secure channel in this context, ensuring that only known and validated applications will be able to interact successfully with other applications on the device.

Client-server Security

With a mobile application, data is typically exchanged in a client-server fashion, which creates the risk of sensitive data being intercepted, or of vulnerabilities being exploited, while data is in transit, because mobile apps often run outside the confines of corporate networks and access services across the public Internet. Client-server security is necessary to ensure that communications between the mobile client application and the server are secure, valid, and neither intercepted nor tampered with. A secure channel provides secure communication between your server and a registered device (or a set of registered devices), independently of any existing protocol layer; it should work over HTTP, HTTPS, Bluetooth, QR code, etc., and cross-platform (the same process fits all). To improve trust in client-server communications, authenticate the user running the application via any one of a number of authentication mechanisms, and store the uploaded data along with the authenticated user ID (and IP address). Again, it is important to remember that HTTPS should not automatically be considered a secure channel when it comes to client-server security. On its own, HTTPS cannot ensure that the information itself is coming from a secure source: it may be subject to systemic attacks if root certificates are compromised, and it cannot prevent a rogue device from successfully being used in critical operations, including authentication or transfers.

Storage

Mobile applications often require that data be stored on the mobile platform, but that data needs to be secured to prevent access by unauthorized applications or devices. Insecure data storage can result in data loss for one user, or many, and can involve anything from user names, passwords and location data to stored logs, cached messages and transaction histories. Insecure storage is a major issue if a device is stolen, as well as for devices that are still in the proper owner's hands, because it is possible for another application to access improperly stored data. Device storage can be breached even if the application is not directly breached, so application developers need to consider the types of information that will be stored on the devices, where, and for how long. Applications should be designed to delete as much data as possible from the device, or to integrate an independent, low-level set of secure storage functions that can safely maintain persistent data between authenticated sessions.

Leaked Information

Unintended data leakage occurs when sensitive information or data is inadvertently placed in a location on the mobile device that is accessible by other applications on the device. Typically, this originates from the underlying mobile device's operating system (OS). Where storage or caching of information is necessary, consider using a standard iOS encryption library. For particularly sensitive applications, consider using whitebox cryptography solutions that avoid the leakage of binary signatures found within common encryption libraries.

Lost or Stolen Devices

A lost or stolen device is cause for concern. Once a device is in the hands of an unauthorized user, the data on the device becomes vulnerable. Unfortunately, users often do not report the loss of a personal device to their IT department, even if it is being used with corporate systems or corporate applications. Therefore, it is essential to deploy proactive and application-specific strong authentication, encryption, and client-side security measures.

Multi-device Management

Users often have a set of mobile devices they regularly use: laptops, smartphones, tablets, etc. The device ecosystem is a major consideration in application security, and this is especially true for mobile banking and e-banking. Ecosystem management should offer the capacity to repudiate devices, and to wipe critical data in case of device loss. Further, the user should not be restricted to a single specific device when connecting, and usage of pre-registered devices should be allowed securely by design.

Encryption and Cryptography

The exploitation of vulnerabilities in cryptography is fairly common, because encryption standards are constantly being tapped and cracked by hackers, and methods are subsequently changed to address new exploits. It's important to understand, evaluate and implement the latest encryption methods for storing data on mobile devices, as hackers continually work to find new vulnerabilities. Using best-in-class methods such as white box cryptography, as well as application hardening techniques with frequent updates, can ensure the strongest protection of your application.

Platform

One of the primary areas of security risk is the mobile platform itself, because your application will be affected by whatever is on the device where it is installed. If the device itself is insecure, your application is at risk, and if other applications on the device are compromised, that can affect your application as well.

Geolocation

Geolocation is important for both regulatory and security considerations. It is critical to ensure that geolocation can't be altered when sent to a server, while at the same time application providers must comply with ethics rules related to the privacy of users. From a compliance perspective, different countries or regions may have regulations regarding access to particular applications based on location. While an App Store can block the download of an application for users in a particular region, once an application is installed on a device, additional measures need to be implemented to make sure that the installed application cannot be used in a restricted geography. Further, having an indication of the user's location when authenticating can be beneficial when the mobile device is being used as an out-of-band authentication platform. In this case, both locations, the IP location of the computer and the GPS location of the mobile device, can be cross-checked and validated before access is allowed.

Device Binding

Device binding (sometimes known as device association) links a device, during the initial activation and registration, to a specific user for the lifecycle of the device. It is important to clearly determine what device or devices are associated with the user in order to adequately establish possession. Further, by enabling device binding you can ensure that only registered devices will be eligible for successful access to an application.
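The device binding and location cross-check described above, as an added illustration that is not VASCO's code: a minimal registry of serials bound to each user (with repudiation for lost devices), and an out-of-band login decision that also compares the computer's IP geolocation with the phone's GPS fix. The registry layout, the 100 km tolerance and the sample coordinates are constructed assumptions.

```python
"""Illustrative model of device binding plus the IP-versus-GPS location
cross-check for an out-of-band login. Added for this guide (not VASCO code):
the registry layout, the distance threshold and the sample coordinates are
constructed assumptions."""
import math
from dataclasses import dataclass, field

MAX_DISTANCE_KM = 100.0   # assumed tolerance between PC (IP geolocation) and phone (GPS)
EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = (math.radians(v) for v in (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


@dataclass
class DeviceRegistry:
    """Device binding: serials registered to each user at activation, plus the
    repudiation list used when a device is reported lost or stolen."""
    bound: dict = field(default_factory=dict)    # user -> set of serials
    revoked: set = field(default_factory=set)

    def bind(self, user: str, serial: str) -> None:
        self.bound.setdefault(user, set()).add(serial)

    def revoke(self, serial: str) -> None:
        """Repudiate a device: it stays in the binding table but is never accepted."""
        self.revoked.add(serial)

    def is_bound(self, user: str, serial: str) -> bool:
        return serial in self.bound.get(user, set()) and serial not in self.revoked


def oob_login_decision(registry: DeviceRegistry, user: str, serial: str,
                       pc_ip_location, device_gps) -> str:
    """Server decision for an out-of-band approval: the approving device must
    be bound to the user, and the two locations must agree; otherwise step up."""
    if not registry.is_bound(user, serial):
        return "deny"
    if haversine_km(pc_ip_location, device_gps) > MAX_DISTANCE_KM:
        return "step_up"
    return "allow"
```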

Jailbreaking and Rooting

Jailbreaking and rooting are used to exploit or expose weaknesses in a mobile device OS with the goal of changing OS-level modules and/or access rights. Having this type of system hook on a smartphone definitively alters the level of trust within multiple components of the device, including keyboard access, display, storage and even memory access. Rooted and jailbroken devices are considered highly insecure because the user is voluntarily installing the root or jailbreak system to access alternate App Stores or to run an OS extension that is not in the original distribution. It is imperative that an application runs in a controlled environment, because a secure mobile application provides a critical authentication mechanism that is used to grant a user access to a resource on a server. To that end, application developers and providers must make sure that their applications can not only detect a rooted or jailbroken device, but also have the capacity to react accordingly.

Malware Detection

Malware detection is a corporate policy standard on some endpoint devices (including desktops, servers and laptops), but it hasn't yet become a standard on mobile devices. With mobile devices becoming one of the most prolific endpoint devices for users, malware is an increasing problem. Mobile malware comes in the form of malicious programs, key trackers, and malware that is hidden within the code of libraries and embedded in applications. Malware protection is a crucial part of application protection for all developers today. The most obvious solution is to require all users to install malware protection on their devices. Other precautions can include user education or the implementation of mobile security policies. When developing an app, it makes sense to develop it with the assumption that malware may be present on any device where the app is installed.

Debugger and Emulator Detection

When a skilled attacker gains access to a mobile development platform, the attacker can launch the application on a debug platform, and potentially access memory zones that are normally protected. This allows the attacker to reverse engineer the application or find exploits within it. Applications in production should restrict themselves to running only on the live platform, not in emulation environments, reducing the risk of reverse engineering or transparent repackaging.

Session Handling

Session management involves enforcement of timeout thresholds that are customized for mobile devices. Because a mobile user may be distracted by an incoming phone call, or by something in their environment, it is wise to implement timeout thresholds that are shorter for mobile devices than for desktop or laptop devices. Advanced session management can also involve shutting down a session automatically if other applications are accessed; however, caution is advised. Often, a user will need to access or make a phone call to get additional information while using a particular application, so it is important to understand the particular function of the application before implementing session management restrictions.

Binary Protection

Binary protection fundamentally protects the source code of the application on a mobile device. Binary code that is not properly hardened and secured can often be downloaded from a device and re-engineered at the source code level. Although it is not simple to detect when code has been reverse engineered, a number of methodologies are available to detect code modification at runtime. For Android devices and applications, for example, most tools for reverse engineering are available for free. A binary that has been tampered with can be re-loaded and distributed onto a device. Types of hacks on binary code include:

- Insertion of malware and password trackers
- Removal of jailbreak and root pass protection
- Copying of data from apps
- Cryptographic key replacement
- Presentation layer modification to perform unauthorized operations
- Bypass of security controls
- Access of malicious code from within the app

Binary code needs to be protected on three levels: security libraries, library calls, and code unrelated to security libraries. A variety of techniques can be used to harden application source code. Methodologies include obfuscation, encryption, object renaming, detection, authentication, internal checks and verification, jailbreak detection, swizzle detection, vulnerability testing, and alerts. Such methods should be considered and implemented at the programming stage. If these methods are not implemented in pre-production, they can be addressed and implemented in production through tools designed to harden and protect application source code.

Coding Practices

Many applications are developed without security in mind. Developers are often given specs for the functionality of the application, but specifications for secure code are not always a part of the product definition. Further, secure coding standards can vary depending on the specific coding language and the libraries being used for the application development. Best practices for secure coding include validating input, header compliance, secure architecture, default denial of access, least privilege principles, data sanitization, encryption, quality assurance, vulnerability scanning, penetration testing, secure session management, authentication, and intelligent practices regarding where to store data and how long it should be stored. Coding practices are an important part of application security but can never completely guarantee the security of an application. No matter how well trained a coding team is in security best practices, additional security measures, especially those that are simple to integrate consistently in the development phase, can be critical to the security of your application.

Provisioning

User Activation

First-time activation can be one of the most critical moments in the provisioning process, because it informs almost all identification information, including device registration. A secure provisioning process will ensure that the initial installation and login are attributed to the correct user. Provisioning needs to be secure and flexible, and to comply with local regulations and corporate policies. The process has to work both online and offline. In some installations, provisioning will include device registration and/or push notification registration, so the provisioning process should take into consideration the fact that users will have to register more than one device. Therefore, applications need to implement secure provisioning of cryptographic keys to the set of devices associated with a user, in a cross-platform manner.

Cross Platform Support

With cost reduction and time-to-market as major concerns for application developers, many applications are developed in a cross-platform format. It's crucial to be aware of the dangers of this approach when it comes to security. The number of devices and operating systems is fundamentally endless, and at any given time this broad landscape of devices and operating systems can be subject to security flaws, breaches, or hostile infiltrations. A cross-platform solution with an independent set of pre-built functions that work across different platforms can reduce complexity, time and resource requirements and dramatically increase speed to market, because separate code does not have to be developed and maintained for each platform variation.

Interface

An insecure mobile interface can lead to both compromised user data and unauthorized control over a mobile device. If user credentials (user name and password) are easy to guess, or user name and account enumeration is possible, attackers can leverage malware to gain access to data or application controls through the mobile interface. Taking measures to secure the mobile interface can be critical to the overall security of the mobile application.

Input and Display

Many malicious programs implement resource hooking techniques for various purposes: to intercept keystrokes, to gain notification of sensitive information inputs (like account or password information), or to intercept or tamper with critical system information. When a user is accessing a resource or inputting sensitive transaction data into the mobile device, it's critical that only the designated application can access that information during the session, to prevent malicious interception of data between device input and the application process. For example, for a mobile application that requires access to the device keyboard, ensure that this application is the only process authorized to access the keyboard during the session, to prevent any malicious attempts to intercept user input.

PIN Verification

A secure PIN is used to protect an application from unauthorized usage. During a mobile application session, the end user enters the PIN to generate an OTP, generate a signature, or perform a change action. The PIN entered is used to retrieve the Dynamic Vector Key, which is an encryption key derived from both the PIN and the serial number of the authenticator. There are several PIN Verification Levels, but it is recommended to use the Checksum level, in which the Checksum (1 byte) of the PIN is stored in the dynamic vector and is used to validate the entered PIN. The Checksum level, when associated with slow-down functionality and lock control managed on the server side, is the best way to protect against a brute force attack: it makes PIN discovery irrelevant, as only a Checksum of the PIN is stored inside the device itself.
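The checksum-level scheme above, as an added worked model that is not DIGIPASS code: the device keeps only a one-byte checksum of the PIN and the OTP seed masked with a key derived from PIN and serial, so a wrong PIN is mostly rejected locally, and the roughly 1 in 256 wrong PINs that slip past the checksum produce an OTP the server rejects, where slow-down and lockout take over. The key derivation, checksum function, seed masking and lockout thresholds are assumptions made for the illustration.

```python
"""Simplified model of checksum-level PIN verification with server-side
slow-down and lockout. Written for this guide as an illustration, not
VASCO's DIGIPASS implementation: the key derivation, the 1-byte checksum,
the seed masking and the lockout policy are all assumptions."""
import hashlib
import hmac
import struct

MAX_FAILURES = 5      # lock the authenticator after this many server-side failures
BASE_DELAY_S = 2.0    # slow-down: the retry delay doubles with each consecutive failure
LOOKAHEAD = 10        # HOTP counter window the server tolerates


def derive_key(pin: str, serial: str) -> bytes:
    """Model of the 'dynamic vector key': derived from the PIN and the
    authenticator serial on every use, never stored on the device."""
    return hmac.new(serial.encode(), pin.encode(), hashlib.sha256).digest()


def pin_checksum(pin: str, serial: str) -> int:
    """The only PIN-dependent value kept on the device: a single byte."""
    return hashlib.sha256(b"checksum|" + derive_key(pin, serial)).digest()[0]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP with RFC 4226 style dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Device:
    """Device side: keeps the serial, the PIN checksum and the OTP seed
    masked with the PIN-derived key (a plain XOR mask, for brevity)."""

    def __init__(self, serial: str, seed: bytes, pin: str):
        self.serial = serial
        self.checksum = pin_checksum(pin, serial)
        self.masked_seed = xor_bytes(seed, derive_key(pin, serial))
        self.counter = 0

    def local_pin_ok(self, pin: str) -> bool:
        return pin_checksum(pin, self.serial) == self.checksum

    def generate_otp(self, pin: str):
        """None when the checksum rejects the PIN (no server round trip).
        About 1 wrong PIN in 256 passes the checksum; it unmasks a garbage
        seed, so the OTP it produces is rejected by the server."""
        if not self.local_pin_ok(pin):
            return None
        seed = xor_bytes(self.masked_seed, derive_key(pin, self.serial))
        self.counter += 1
        return hotp(seed, self.counter)


class Server:
    """Server side: knows the real seed and enforces slow-down and lockout,
    which is where guessing against a leaked checksum is actually stopped."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0
        self.failures = 0
        self.locked = False
        self.retry_after = 0.0

    def verify(self, otp, now: float) -> str:
        if self.locked:
            return "locked"
        if now < self.retry_after:
            return "slow_down"
        if otp is not None:
            for c in range(self.counter + 1, self.counter + 1 + LOOKAHEAD):
                if hmac.compare_digest(otp, hotp(self.seed, c)):
                    self.counter = c
                    self.failures = 0
                    return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        self.retry_after = now + BASE_DELAY_S * 2 ** (self.failures - 1)
        return "invalid"
```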

Biometrics

Mobile devices often contain information about a user's identity as well as sensitive personal and payment information, so in addition to ensuring that only authorized users are accessing an application from the mobile device, it is equally important to secure the device itself, to protect sensitive data or PII (Personally Identifiable Information) contained on the device. By implementing a mobile application that requires fingerprint identification on the smartphone or tablet in combination with a secondary authentication scheme such as a secure PIN, developers can enhance security for the application and ensure the authenticity of the user.

Risk-Based Scoring

Threats and fraud continue to increase, leaving organizations with multiple levels of exposure. It is imperative for developers to incorporate more intelligent security measures at the point of user authentication, yet it is equally important to balance that with user requirements for convenience. This is especially relevant when it comes to mobile applications. Risk-based scoring bases access decisions on a dynamic series of circumstances. The risk-based tools work silently in the background to collect and score an application login based on a series of quantifiable metrics, including role, location, and user activity, as well as changes to the typical behavioral patterns of the user. When using a risk-based scoring model, access to the application goes through a series of trust hurdles, with riskier applications and behaviors requiring more security, although users don't necessarily even know that their logins are being vetted more carefully. In addition to reducing risk and providing an improved user experience, risk-based scoring can be invaluable for mobile applications. Since mobile devices can be lost or stolen, adaptive controls on authentication can be used to determine context and usage and so provide better security. Devices can be scored based on a particular combination of circumstances, so if a user is connecting from a different city or country, this increases risk and presents the user with additional authentication requirements, which can often thwart unauthorized or malicious activity.

User

Any type of financial or business application must include an additional layer of protection to verify the identity of the user, and because of the nature of mobile devices and applications, this is even more critical. Multiple options exist to ensure the protection of users and can be built directly into a mobile application. Selecting the right authentication method is typically determined by taking into account the value of the application data, as well as consideration for the user experience. While some authentication methods may reduce convenience for users by requiring additional devices or additional steps to gain access, it is important to balance the need for convenience with the security of the data that is accessed from the application when selecting your solution. Several types of authentication are available and can be built in to an application.

Multi-factor authentication requires the user to have an additional device or access to an additional methodology in order to log in to the application. Multi-factor authentication is typically defined as something you have and something you know. That is, you need to be in possession of the authentication device (such as a hard or soft token), plus have a unique passcode.

Certificate-based authentication strengthens the authentication process by using a certificate issued by a certificate authority, which guarantees the link between a physical identity and the cryptographic public key. The user is automatically logged in to the application, but must then further authenticate the certificate to establish a trusted session.

Biometric authentication, or the ability of mobile phones and applications to recognize individuals by fingerprints, facial recognition, or other means, is still in its infancy. Expect to see fairly reliable technologies becoming mainstream by. Biometry is used as a convenience factor, replacing PIN entry or acting as a transparent authentication layer in scoring.

Score-based authentication is similar to behavior-based authentication in that it recognizes user patterns and gives scores to behavior based on the risk factor. In high-risk situations, specific financial transactions, such as a money transfer, can be blocked. Both the user and the administrator would then be warned about the suspicious behavior. Score-based authentication can be computed and/or evaluated on either the client side or the server side.

Behavior-based authentication applies additional intelligence to user patterns and requires users to authenticate their identity if any unusual activity is detected. For example, if the user is accessing the application from an unusual location or an unfamiliar device, or if there were multiple attempts to log in to the application, the situation would be considered high-risk, and additional authentication measures would be requested. Behavior-based technologies identify normative behavior and warn or lock use when behavior does not fit within the recognized baseline.

Visual Transaction Signing/QR Codes

Visual Transaction Signing offers an intuitive and visual authentication and transaction signing option for the user, and can not only help reduce attacks and fraud, but also conserve IT resources that are often consumed by help desk support requests and password resets. Visual Transaction Signing ensures that only an authorized user (and not malware) can validate a transaction, which can prevent some of the most prevalent Trojan-based attacks (like Man-in-the-Middle and Man-in-the-Browser attacks). Visual Transaction Signing easily allows the user to visually review and approve a transaction, and the content of the signed message cannot be changed. Visual Transaction Signing presents the user with a unique visual challenge for transaction validation (typically a graphical cryptogram or QR code consisting of a matrix of colored dots displayed on a PC screen). By simply using the camera in the mobile device, the user captures the cryptogram by photographing the PC screen. The user is then presented with critical transaction information, like payment details, which has been decoded securely from the visual cryptogram image. The user can then check the transaction details on the mobile device to confirm that the transaction is genuine and the payment instructions have not been altered. An authentication code is then generated on the device and passed back to the application server to complete the transaction. Some industries are required by regulations to deploy out-of-band authentication, and in these cases QR codes can offer an easy way to comply, because they don't require an online connection. QR technology is also suited to non-electronic channels, which enables even more flexibility for organizations looking for a solution that can scale with them as they grow into new channels. For mobile authentication, QR codes should be dedicated to a device, or a set of devices that are linked to a specific user, in order to improve user convenience as well as security, and to ensure the best possible customer adoption rates.

Out-of-band Login Support

Out-of-band (OOB) authentication is a method of verifying a user's identity using a channel other than the one being used to facilitate the transaction. In some cases, two-factor authentication could be breached if a perpetrator has access to , for example, through the same smartphone carrying the one-time password (OTP). By using OOB, it's not sufficient to know the password and login information; one must also be using an authenticated methodology of accessing the account.
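The visual transaction signing exchange above, as an added model of both sides that is not VASCO's cryptogram format: the server binds the transaction details to a nonce and a MAC under the device key (the base64 string stands in for the colour-matrix image), the device refuses a cryptogram that fails the MAC, shows the server's view of the transaction, and signs only what the user approves, so a man-in-the-browser that altered the beneficiary is caught by the user on the phone. The device key, JSON layout and MAC-only (unencrypted) cryptogram are assumptions made to keep it standard-library only.

```python
"""Model of a visual transaction signing exchange: the server issues a
cryptogram bound to the device key, the device checks it, shows the details,
and signs only what the user approved. Added for this guide, not VASCO's
cryptogram format: the device key, the JSON field layout, the base64 string
standing in for the colour-matrix image, and the MAC-only (unencrypted)
cryptogram are assumptions made to keep the example standard-library only."""
import base64
import hashlib
import hmac
import json
import os
from typing import Callable, Optional

TAG_LEN = 16


def _canon(body: dict) -> bytes:
    """Canonical JSON so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def signing_code(device_key: bytes, body: dict, digits: int = 8) -> str:
    """The authentication code passed back to the server: a MAC over the
    nonce and the transaction details, truncated to digits."""
    mac = hmac.new(device_key, b"sign|" + _canon(body), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class SigningServer:
    """Application server: issues one cryptogram per pending transaction and
    verifies the code against the details it actually intends to execute."""

    def __init__(self, device_key: bytes):
        self.key = device_key
        self.pending = {}          # nonce -> body that was shown to the user

    def issue(self, txn: dict) -> str:
        nonce = os.urandom(8).hex()
        body = {"nonce": nonce, "txn": txn}
        self.pending[nonce] = body
        payload = _canon(body)
        tag = hmac.new(self.key, b"cryptogram|" + payload, hashlib.sha256).digest()[:TAG_LEN]
        return base64.b64encode(payload + tag).decode()

    def verify(self, nonce: str, code: Optional[str]) -> bool:
        body = self.pending.pop(nonce, None)     # single use: no replay of a code
        if body is None or code is None:
            return False
        return hmac.compare_digest(code, signing_code(self.key, body))


def decode_cryptogram(device_key: bytes, cryptogram: str) -> Optional[dict]:
    """Device: check the MAC before displaying anything; None if tampered."""
    raw = base64.b64decode(cryptogram)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(device_key, b"cryptogram|" + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def device_sign(device_key: bytes, cryptogram: str,
                user_confirms: Callable[[dict], bool]) -> Optional[str]:
    """Device: decode, show the server's view of the transaction to the user,
    and sign only if they approve. A man-in-the-browser that altered the
    beneficiary shows up here as details the user does not recognise."""
    body = decode_cryptogram(device_key, cryptogram)
    if body is None or not user_confirms(body["txn"]):
        return None
    return signing_code(device_key, body)
```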

Risk Based Analysis

Risk-based analysis works as follows. When generating credentials, an authentication application, or an application using two-factor authentication, should indicate the level of trust that the platform reached with the client while generating the credential. Ideally, this information should be protected with strong cryptography and should be impossible to change without invalidating the authenticated process. One of the ways that strong cryptography is implemented is through time-based one-time passwords (OTP). Provisioning the cryptographic information is one of the most important issues, to ensure that the initial creation of the user is accurate. Errors in provisioning can mean that an unauthorized user has the credentials to make them appear authorized, so it's absolutely essential to make sure that the provisioning process is initially correct.

The scoring flow is:

1. The collection of information starts.
2. Each item is evaluated and goes through a client-side decision policy. At each evaluation, an action can be selected.
3. If no stop flags have been raised, the Client Score Policy is evaluated for each item, giving each a weight in the global score.
4. A score is created.
5. At OTP generation, the score is injected into the OTP.
6. The OTP is validated by the server.
7. The score is extracted from the OTP and provided for an independent evaluation (logging, injection into an existing RBA, an in-house decision engine, etc.).

If the two-factor authentication process is validated, a server-side process can extract the context that the client side had when generating the OTP, in order to provide more accurate information to a risk-based analysis process.

[Figure: Score-based Authentication. Client side: context items (Geolocation, OS Version, Platform Jailbreak & Rooting, Malware, PIN Activated, Biometric...) each pass a decision action (Action 1 to Action 6), then the Client Score Policy, Score Calculation and OTP Injection. Server side: OTP Validation, OTP Extraction, Server Score Policy and User Behavior Analysis.]
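The seven-step flow above, as an added model that is not the DIGIPASS algorithm: the client evaluates collected context items against stop flags and a weighted Client Score Policy, injects the resulting score as the last digit of the OTP with the MAC covering both counter and score, and the server extracts the score, validates the OTP, and applies a Server Score Policy. The context items, weights, thresholds and the 6+1 digit OTP layout are assumptions.

```python
"""Illustrative model of the client-side score policy and of carrying the
resulting score inside the OTP, with server-side extraction. Added for this
guide; not the DIGIPASS algorithm. The context items, weights, stop flags,
thresholds and the OTP layout (6 code digits + 1 score digit) are assumptions."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STOP_FLAGS = {"malware"}          # client decision policy: refuse to generate at all
CLIENT_WEIGHTS = {                # client score policy: weight per detected item
    "jailbreak": 4,
    "debugger": 3,
    "emulator": 3,
    "outdated_os": 1,
    "unknown_location": 2,
    "pin_not_activated": 2,
}
MAX_SCORE = 9                     # the score travels as a single decimal digit
SERVER_STEP_UP_AT = 4             # server score policy thresholds
SERVER_BLOCK_AT = 8


def client_score(context: dict) -> Optional[int]:
    """Evaluate every collected item. None means a stop flag was raised and
    no OTP may be generated; otherwise the capped weighted global score."""
    if any(context.get(item) for item in STOP_FLAGS):
        return None
    score = sum(w for item, w in CLIENT_WEIGHTS.items() if context.get(item))
    return min(score, MAX_SCORE)


def _code(seed: bytes, counter: int, score: int, digits: int = 6) -> str:
    """Dynamic-truncation code whose MAC covers both counter and score, so the
    score digit cannot be changed without invalidating the OTP."""
    mac = hmac.new(seed, struct.pack(">QB", counter, score), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def generate_otp(seed: bytes, counter: int, context: dict) -> Optional[str]:
    """Client: score the context, then inject the score as the last digit."""
    score = client_score(context)
    if score is None:
        return None
    return _code(seed, counter, score) + str(score)


def validate_otp(seed: bytes, last_counter: int, otp: str,
                 lookahead: int = 5) -> Optional[Tuple[int, int]]:
    """Server: extract the score digit, recompute the code for the next
    counters, return (accepted_counter, score) or None when invalid."""
    if len(otp) != 7 or not otp.isdigit():
        return None
    score = int(otp[-1])
    for c in range(last_counter + 1, last_counter + 1 + lookahead):
        if hmac.compare_digest(otp[:-1], _code(seed, c, score)):
            return c, score
    return None


def server_decision(score: int) -> str:
    """Server score policy applied to the extracted score (it could equally be
    logged or fed into an existing RBA engine)."""
    if score >= SERVER_BLOCK_AT:
        return "block"
    if score >= SERVER_STEP_UP_AT:
        return "step_up"
    return "allow"
```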

A Unified Approach to Mobile Apps

Mobile applications are changing the way business is done, offering instant access to services for your users. Unfortunately, attackers are taking advantage of the many complexities created by the mobile ecosystem to exploit vulnerabilities, resulting in sophisticated fraud schemes and theft of sensitive data. When it comes to your mobile applications, VASCO can help you ensure the right levels of security, without creating additional challenges for your mobile users.

Communications: Go beyond HTTPS with end-to-end encryption, which introduces a new level of service between server and client applications and provides the necessary secure channel for sensitive data.

Interface: An insecure mobile interface can lead to both compromised user data and unauthorized control over a device. Implement security measures that protect against brute force, resource hooking and dictionary attacks.

Platform: Ensuring the continuous integrity of the mobile platform through tools like root/jailbreak detection, malware detection, and device binding is critical to the security of the mobile app.

Provisioning: Flexible deployment, provisioning, and activation capabilities, as well as protocol-independent features, will help to secure and streamline the process, even across multiple platforms.

Storage: Mobile apps often require that data be stored on the platform. Prevent access by unauthorized applications or devices by encrypting application data, independent of operating system or device.

User: The convenience and simplicity of your app will have a tremendous impact on user adoption rates. Balance the security requirements of your app while reducing the manual input required from the user.

VASCO's solutions for mobile security bring new and inter-connected levels of protection to your mobile applications.
With VASCO, all core components of your application can now be secured at every level, with protection that is easily integrated, transparent to users, and designed to keep developers focused on what matters: creating new features that drive business forward.

DIGIPASS for Apps is a comprehensive developer's toolkit (SDK) that natively integrates complete mobile security, two-factor authentication and electronic signing into your mobile applications. Through a robust library of APIs, you can extend and strengthen security for your applications and deliver unprecedented convenience to your users, while streamlining the application deployment and lifecycle management process.

DIGIPASS for Mobile balances the need for stronger mobile security with user demands for convenience by delivering a frictionless, hands-free two-factor authentication and e-signing experience along with built-in application security to ensure that any application running on a mobile platform is self-protected in all aspects of application runtime. And when combined with DIGIPASS for Apps, DIGIPASS for Mobile offers a comprehensive and integrated security framework for your mobile applications.

Why Choose VASCO for Mobile Application Security?

Banking-level Security

VASCO enables millions of users to conduct even the most sensitive transactions securely on mobile devices. Some of the leading financial and consumer organizations around the world, including HSBC, Santander, Citibank, Rabobank, KBC, Bank of America, BNP Paribas Fortis, ING and ABN AMRO, trust VASCO to secure their mobile applications.

Comprehensive Mobile App Protection

Bring new, inter-connected levels of security to your application to reduce threats and combat fraud. With VASCO's solutions, all core components of a mobile application can now be secured at every level, and protection is easily integrated, without performance disruptions or end user visibility.

Streamlined Development & Deployment

VASCO's solutions have been designed to be flexible and friendly for application developers, so they can focus on application features that drive new business opportunity. VASCO also offers full-service implementation support for any component of your project, from design to publishing.

Improved Risk-based Analysis

Risk scoring that is driven by user, platform and context elements is embedded into the authentication process, meeting requirements for enhanced server-side analytics and streamlined compliance management.

Hands Free Mobile User Experience

With broad, flexible, fully integrated two-factor authentication and electronic signing options, you can deliver on the simplicity and convenience demands unique to your mobile users, even for the most sensitive transactions.

VASCO can help you secure your mobile applications at every level. Visit to learn more.

About VASCO

VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, e-commerce, government and healthcare markets. Learn more about VASCO at or visit


More information

IBM Endpoint Manager for Mobile Devices

IBM Endpoint Manager for Mobile Devices IBM Endpoint Manager for Mobile Devices A unified platform for managing mobile devices together with your traditional endpoints Highlights Address business and technology issues of security, complexity

More information

SOLUTION BRIEF MOBILE SECURITY. Securely Accelerate Your Mobile Business

SOLUTION BRIEF MOBILE SECURITY. Securely Accelerate Your Mobile Business SOLUTION BRIEF MOBILE SECURITY Securely Accelerate Your Mobile Business CA Technologies allows you to accelerate mobile innovation for customers and employees without risking your enterprise data or applications.

More information

DIGIPASS Authentication for GajShield GS Series

DIGIPASS Authentication for GajShield GS Series DIGIPASS Authentication for GajShield GS Series With Vasco VACMAN Middleware 3.0 2008 VASCO Data Security. All rights reserved. Page 1 of 1 Integration Guideline Disclaimer Disclaimer of Warranties and

More information

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies

More information

Addressing the United States CIO Office s Cybersecurity Sprint Directives

Addressing the United States CIO Office s Cybersecurity Sprint Directives RFP Response Addressing the United States CIO Office s Cybersecurity Sprint Directives How BeyondTrust Helps Government Agencies Address Privileged Account Management and Improve Security July 2015 Addressing

More information

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX SECURE YOUR DATA EXCHANGE SAFE-T BOX WHITE PAPER Safe-T. Smart Security Made Simple. 1 The Costs of Uncontrolled Data Exchange 2 Safe-T Box Secure Data Exchange Platform 2.1 Business Applications and Data

More information

Authentication Strategy: Balancing Security and Convenience

Authentication Strategy: Balancing Security and Convenience Authentication Strategy: Balancing Security and Convenience Today s Identity and Access Security Strategies Are Being Driven by Two Critical Imperatives: Enable business growth by: Quickly deploying new

More information

Security and Compliance challenges in Mobile environment

Security and Compliance challenges in Mobile environment Security and Compliance challenges in Mobile environment Emerging Technologies November 19, 2013 Bob Bastani Introductions Bob Bastani, Security & Compliance Program Manager, IBM, 301-803-6078, bbastani@us.ibm.com

More information

Hands on, field experiences with BYOD. BYOD Seminar

Hands on, field experiences with BYOD. BYOD Seminar Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012 Agenda Challenges RIsks Strategy Before We Begin Thom Schiltmans Deloitte Risk Services Security & Privacy Amstelveen tschiltmans@deloitte.nl

More information

Cyber Exploits: Improving Defenses Against Penetration Attempts

Cyber Exploits: Improving Defenses Against Penetration Attempts Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How

More information

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents

More information

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords WHITE PAPER AUGUST 2014 Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords 2 WHITE PAPER: PREVENTING SECURITY BREACHES Table of Contents on t Become the Next Headline

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION

WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION Executive Overview The explosion of devices laptops, desktops and now the plethora of mobile devices has left enterprises

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment IIIIII Best Practices www.gemalto.com IIIIII Table of Contents Strong Authentication and Cybercrime... 1

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

Security Assessment of briidge.net TM 2-Step verification for banking customers in a multichannel delivery environment that is FFIEC compliant

Security Assessment of briidge.net TM 2-Step verification for banking customers in a multichannel delivery environment that is FFIEC compliant Security Assessment of briidge.net TM 2-Step verification for banking customers in a multichannel delivery environment that is FFIEC compliant Prepared for: By: Wesly Delva, SSCP, Information Security

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information